ID

VAR-202106-0955


CVE

CVE-2021-24012


TITLE

FortiGate Vulnerability in Certificate Verification

Trust: 0.8

sources: JVNDB: JVNDB-2021-007795

DESCRIPTION

An improper following of a certificate's chain of trust vulnerability in FortiGate versions 6.4.0 to 6.4.4 may allow an LDAP user to connect to SSLVPN with any certificate that is signed by a trusted Certificate Authority. FortiGate contains a certificate validation vulnerability (CWE-295); exploitation may lead to information disclosure, information tampering, or denial of service (DoS). Fortinet FortiGate is a network security platform developed by Fortinet that provides firewall, antivirus, intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration functions. The weakness is in how the SSL VPN validates the client certificate presented for an LDAP user: the check stops at "signed by a CA in the trust store" instead of verifying that the certificate was issued to that user by the expected CA, so a certificate from any other trusted CA is accepted. CNNVD has published no further detail on this vulnerability; follow CNNVD or the vendor's announcements. The following products and versions are affected: FortiGate 6.4.0, 6.4.1, 6.4.2, 6.4.3 and 6.4.4; FortiOS 6.4.5 and later are not affected.

Trust: 2.25

sources: NVD: CVE-2021-24012 // JVNDB: JVNDB-2021-007795 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-382730
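The flaw class described above (chain validation that stops at "signed by some trusted CA") as an added, illustrative example. This is not FortiOS code and is not taken from FG-IR-21-018; it builds a small in-memory PKI with two constructed CAs ("Corp Users CA", which the LDAP user group is meant to use, and "Some Other Trusted CA", which is also in the trust store), a legitimate user certificate for "alice" and an attacker-held certificate for "mallory". All names, serials and keys are made up for the demonstration. `WeakCheck` accepts any chain that ends in the trust store; `StrictCheck` pins the chain to the configured CA and binds the certificate subject to the LDAP identity being authenticated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var clientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}

// newCert generates an ephemeral P-256 key and signs tmpl with parent/parentKey,
// or self-signs when parent is nil. Test fixture only; no real PKI is involved.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  clientAuth,
	}
}

// Fixture is the constructed scenario: a gateway trust store holding two CAs,
// the CA configured for the LDAP user group, a legitimate user certificate from
// that CA, and an attacker-held certificate from the other trusted CA.
type Fixture struct {
	Trusted *x509.CertPool    // every CA in the gateway's store
	CorpCA  *x509.Certificate // the CA the LDAP user group is configured to use
	Alice   *x509.Certificate // issued by CorpCA to user "alice"
	Mallory *x509.Certificate // issued by the other trusted CA to "mallory"
}

func BuildFixture() Fixture {
	corpCA, corpKey := newCert(caTemplate("Corp Users CA", 1), nil, nil)
	otherCA, otherKey := newCert(caTemplate("Some Other Trusted CA", 2), nil, nil)
	alice, _ := newCert(leafTemplate("alice", 10), corpCA, corpKey)
	mallory, _ := newCert(leafTemplate("mallory", 11), otherCA, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(corpCA)
	pool.AddCert(otherCA)
	return Fixture{Trusted: pool, CorpCA: corpCA, Alice: alice, Mallory: mallory}
}

// WeakCheck is the flawed pattern: the client certificate only has to chain to
// *some* CA in the trust store. It never asks which CA, nor whether the
// certificate belongs to the LDAP user who is logging in.
func WeakCheck(trusted *x509.CertPool, cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: clientAuth})
	return err
}

// StrictCheck pins the chain to the CA configured for the user group and binds
// the certificate's subject to the authenticated LDAP identity.
func StrictCheck(expectedCA, cert *x509.Certificate, ldapUser string) error {
	pool := x509.NewCertPool()
	pool.AddCert(expectedCA) // only the configured CA may anchor the chain
	chains, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: clientAuth})
	if err != nil {
		return err
	}
	root := chains[0][len(chains[0])-1] // chains run leaf -> root
	if !root.Equal(expectedCA) {
		return errors.New("chain does not terminate at the configured CA")
	}
	if cert.Subject.CommonName != ldapUser {
		return fmt.Errorf("certificate CN %q does not match LDAP user %q", cert.Subject.CommonName, ldapUser)
	}
	return nil
}

func main() {
	f := BuildFixture()
	fmt.Println("weak check, mallory's cert:      ", WeakCheck(f.Trusted, f.Mallory))
	fmt.Println("strict check, mallory as alice:  ", StrictCheck(f.CorpCA, f.Mallory, "alice"))
	fmt.Println("strict check, alice as alice:    ", StrictCheck(f.CorpCA, f.Alice, "alice"))
}
```

Run it with `go run`: the weak check returns nil for Mallory's certificate, while the strict check rejects it with an unknown-authority error and also rejects Alice's own certificate when it is presented for a different LDAP user. The design point is that a trust store is a set of anchors kept for many purposes, so "chains to a trusted CA" is a different question from "was issued by the CA this user group is supposed to use", and neither answers "does it belong to this user".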

AFFECTED PRODUCTS

vendor: fortinet; model: fortios; scope: lt; version: 6.4.5

Trust: 1.0

vendor: fortinet; model: fortios; scope: gte; version: 6.4.0

Trust: 1.0

vendor: Fortinet; model: fortios; scope: eq; version: 6.4.0 to 6.4.4

Trust: 0.8

vendor: Fortinet; model: fortios; scope: eq; version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-007795 // NVD: CVE-2021-24012

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-24012
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-24012
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-24012
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-016
value: HIGH

Trust: 0.6

VULHUB: VHN-382730
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-24012
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-382730
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2021-24012
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2021-24012
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.2
impactScore: 3.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-24012
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-382730 // JVNDB: JVNDB-2021-007795 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-016 // NVD: CVE-2021-24012 // NVD: CVE-2021-24012

PROBLEMTYPE DATA

problemtype: CWE-295

Trust: 1.1

problemtype: Improper Certificate Validation (CWE-295) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-382730 // JVNDB: JVNDB-2021-007795 // NVD: CVE-2021-24012

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-016

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: FG-IR-21-018; url: https://www.fortiguard.com/psirt/FG-IR-21-018

Trust: 0.8

title: Fix for the FortiGate trust-management vulnerability (CNNVD); url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152461

Trust: 0.6

sources: JVNDB: JVNDB-2021-007795 // CNNVD: CNNVD-202106-016

EXTERNAL IDS

db: NVD; id: CVE-2021-24012

Trust: 3.3

db: JVNDB; id: JVNDB-2021-007795

Trust: 0.8

db: CS-HELP; id: SB2021041363

Trust: 0.6

db: CNNVD; id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP; id: SB2021060120

Trust: 0.6

db: AUSCERT; id: ESB-2021.1888

Trust: 0.6

db: CNNVD; id: CNNVD-202106-016

Trust: 0.6

db: VULHUB; id: VHN-382730

Trust: 0.1

sources: VULHUB: VHN-382730 // JVNDB: JVNDB-2021-007795 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-016 // NVD: CVE-2021-24012

REFERENCES

url:https://fortiguard.com/advisory/fg-ir-21-018

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-24012

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1888

Trust: 0.6

url:https://vigilance.fr/vulnerability/fortigate-man-in-the-middle-via-ssl-vpn-certificate-chain-trust-35584

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021060120

Trust: 0.6

sources: VULHUB: VHN-382730 // JVNDB: JVNDB-2021-007795 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-016 // NVD: CVE-2021-24012

SOURCES

db: VULHUB; id: VHN-382730
db: JVNDB; id: JVNDB-2021-007795
db: CNNVD; id: CNNVD-202104-975
db: CNNVD; id: CNNVD-202106-016
db: NVD; id: CVE-2021-24012

LAST UPDATE DATE

2024-08-14T12:12:48.738000+00:00


SOURCES UPDATE DATE

db: VULHUB; id: VHN-382730; date: 2021-06-14T00:00:00
db: JVNDB; id: JVNDB-2021-007795; date: 2022-02-22T08:53:00
db: CNNVD; id: CNNVD-202104-975; date: 2021-04-14T00:00:00
db: CNNVD; id: CNNVD-202106-016; date: 2021-06-15T00:00:00
db: NVD; id: CVE-2021-24012; date: 2021-06-14T14:56:53.057

SOURCES RELEASE DATE

db: VULHUB; id: VHN-382730; date: 2021-06-02T00:00:00
db: JVNDB; id: JVNDB-2021-007795; date: 2022-02-22T00:00:00
db: CNNVD; id: CNNVD-202104-975; date: 2021-04-13T00:00:00
db: CNNVD; id: CNNVD-202106-016; date: 2021-06-01T00:00:00
db: NVD; id: CVE-2021-24012; date: 2021-06-02T13:15:12.673